
Posts

Showing posts from June, 2019

Verifying cables with FortiSwitch

FortiSwitch has a command that lets you verify the condition of a cable and reports one of the following states:

Open (when the cable is not connected)
Short
OK
Open_Short
Unknown
Crosstalk

CLI command:

diagnose switch physical-ports cable-diag <Name of Physical Port>

Example:

# diagnose switch physical-ports cable-diag port1
port1: cable (4 pairs, length +/- 10 meters)
    pair A Open, length 0 meters
    pair B Open, length 0 meters
    pair C Open, length 0 meters
    pair D Open, length 0 meters

Note: When this command is executed, the switch interrupts service in order to run the tests on the cable, so it is recommended to run it in a maintenance window.

FortiOS 6.2

The new version of the Fortinet operating system, FortiOS 6.2, has been released. The new version introduces more than 120 new features. These features improve different aspects of the operating system in the following components.

Security Fabric
Security Fabric support for VDOMs
Support for new Security Fabric members: FortiMail, FortiWeb, FortiADC, FortiDDoS, FortiWLC
Support for new Fabric Connectors
Support for multiple connections to the same cloud type (for example, connections to two different environments in Azure or AWS)
Support for new cloud connectors: Alibaba AliCloud, VMware ESXi and vCenter, Azure Stack, OpenStack and Kubernetes in AWS cloud environments, Azure, Oracle, Google GCP or private cloud.
Ability to block traffic at the IP, DNS (DNS Filter) or URL (Web Filter) level through dynamic categories created from external feeds.

SD-WAN
Improvements in IPsec, including tunnel aggregation and per-packet load balancing.
New FEC functionality (Forwared

Fortigate One-Click VPN (OCVPN)

A new service known as "Cloud-Assisted One-Click VPN" (OCVPN) has been available since version 6.0. OCVPN is a cloud-based solution that greatly simplifies the provisioning and configuration of IPsec VPNs. The administrator activates OCVPN with one click and adds the required subnets, and the configuration is complete. The OCVPN service automatically updates each FortiGate, creates the VPNs between the registered units, and updates the configuration automatically even when a unit with a dynamic IP changes its WAN IP.

The service has the following limitations:

The FortiGate firewall must have a valid FortiCare support license.
Only full-mesh VPN configurations using a pre-shared key (PSK) are supported.
Public IP addresses must be used (a FortiGate cannot join from behind a NAT router).
Non-root VDOMs and FortiGate VMs are not supported.
Up to 16 nodes can be added to the OCVPN cloud, each with up to 16 subnets.

You can find the details of the configuration

Fortinet Authentication options

Fortinet offers several authentication solutions in its FortiGate and FortiAuthenticator products, but deciding which one fits each environment can be difficult. This post goes over the different options.

Authentication methods

FG with Captive Portal
This is open (non-transparent) authentication, but no infrastructure is required and it can even work without LDAP or RADIUS. Recommended for guest networks or environments with little infrastructure.

FG with LDAP Polling
This is the most basic SSO solution: the firewall itself polls LDAP to check the user names. Its advantage is that no agents need to be deployed; its disadvantage is that it does not scale to very large or complex environments, so it is usually used in small deployments.

FG with DC-Agent (TS-Agent and other agents)
In this deployment, specific agents are installed on the Domain Controllers and Terminal Servers to track user mobility. The Collector (deployed on a server or a Windows PC) is responsible for collecting all users'

Modify FortiGate HA Link-Failed-Signal and MAC address tables

The "link-failed-signal" setting lets us force the switches adjacent to the FortiGate cluster to refresh their MAC tables, which is useful when the switches do not refresh them correctly on their own. Normally, after a link failover, the new primary unit sends gratuitous ARP (GARP) packets to refresh the MAC forwarding tables of the switches connected to the cluster. In some cases, switches ignore the GARP packets and keep the MAC address associated with the old port, so the failover fails from the FortiGate's point of view and the switch continues to send packets to the old unit.

You can use the following command to prevent a cluster unit with a monitored interface from shutting down all of its interfaces (except the heartbeat interfaces and the HA management interfaces) after a link failure occurs.

config system ha
    set link-failed-signal enable
end

If the cluster units are managed through a dedicated management interface, it must be specified; otherwise the port used for management goes down.

config system ha
    set link-failed-signal enable
    en

Secure deletion of Data on FortiAnalyzer hard drives

Secure deletion of data from the hard disks of a FortiAnalyzer can be done with a CLI command. The command overwrites every sector of the hard disk with random data. As an option, it lets us choose the number of passes, up to 35, to make over the disk to ensure that the data cannot be recovered. The command to perform this secure erase is:

execute format disk deep-erase [ number_iterations ]

FortiGate EDNS Support

Extension Mechanisms for DNS (EDNS) is a feature that expands the size of several DNS protocol parameters that had size restrictions, in order to allow increased protocol functionality. The first set of extensions was published by the IETF as RFC 2671 (also known as EDNS0) in 1999. EDNS0 allows DNS UDP messages longer than 512 bytes. Some firewalls may block such messages, assuming that the maximum size of a DNS message is 512 bytes. Since version 5.2, FortiGate supports EDNS0 and DNS messages longer than 512 bytes.

FortiMail Protection profile changes

From FortiMail's graphical interface you can change all kinds of settings on multiple profiles at once; this process is called "Batch Edit". It can be applied to Session, AntiSpam, AntiVirus, Content and Resource profiles. The only requirement for a Batch Edit across multiple profiles is that they all belong to the system category or to the same domain. For example, to disable the Greylist option of several AntiSpam profiles at once, we do the following:

1. Select the profiles we want to change while holding the Shift or Control key.
2. Once all are selected, click "Batch Edit".
3. Disable the profile's Greylist option.
4. Clicking "Apply To All" applies the change to all the selected AntiSpam profiles. Clicking "Apply" instead opens the selected profiles one after another, so each can be modified individually.

Automation rules for Fortigate Conserve Mode and High CPU

Version 6.0 introduced Automation rules, which allow a series of actions to be automated in response to certain events. Examples are quarantining a device when it is detected as compromised, or calling an API (Webhook) when a particular event log is created. There are two types of triggers that cannot be configured from the graphical interface but can be configured from the CLI, and the configuration made on the CLI side is then reflected in the GUI. These triggers fire when the CPU is at very high values or when the unit enters conserve mode because of high memory use. To configure them, run the following commands from the CLI:

config system automation-trigger
    edit "cpu"
        set event-type high-cpu
    next
    edit "memoria"
        set event-type low-memory
    next
end

Once the trigger is configured, we create a new Automation rule and associate it with the trigger configured in the

What's new with FortiADC version 5.2

Server Load Balance
Content Routing support for L2 TCP/UDP/IP virtual servers; routing can be determined according to the source addresses
L7 virtual servers for FTP with FullNAT, DNAT and Transparent mode support
Support for health checks of Oracle DB on virtual servers
Proxy replacement for ADFS is complete
Enhancements for SIP virtual servers: support for NAT of the media server address; keep the client address of UDP traffic for the SIP server
New functions for scripts created in FortiADC: authentication event and operation, cookie encrypt/decrypt, AES encrypt/decrypt, URL encode/decode/parse, Base32, file operation, random generation, get_pid, HTTP:respond

Global Load Balance
New distribution method based on server CPU and memory usage: the "Server-Performance" method dynamically sends the DNS request to the server with the lowest CPU/memory usage.

Security
New JSON schema validation functionality, added to the XML validation feature already available in previous versions.
Support for blacklists based on IP reputation
It is possible t

Fortigate SSL mirroring explicit proxy/SSL inspected traffic

SSL inspection on FortiGate is a mechanism used to inspect the content of encrypted sessions in order to find and block threats. SSL inspection protects not only against attacks carried over HTTPS but also against attacks over other commonly used encrypted protocols such as SMTPS, POP3S, IMAPS and FTPS. Full SSL inspection (deep inspection) should be used to ensure that all encrypted content is inspected. When SSL inspection is used, the FortiGate terminates the client's SSL session, decrypts and inspects its content, then re-encrypts it: a new SSL session is established between the FortiGate and the destination, impersonating the client, and the content is forwarded free of threats. It is possible to "mirror", that is, send a copy of the traffic decrypted by SSL inspection, to one or more FortiGate interfaces so that it can be collected by a raw packet capture tool for archiving or analysis. Mirroring occurs after the traffic is processed by the SSL decoder and at the s

Extended Logs in FortiOS 6.0 Protection profiles

From FortiOS 6.0, "Extended Logs" must be explicitly enabled with CLI commands in the IPS, AntiVirus, Web Filter, Application Control and DLP protection profiles. Extended logs give us more detail: more domains, more traffic details, and request details such as the HTTP method used, User-Agent, content type, etc. They can be enabled in flow mode for profiles such as Application Control, IPS, AntiVirus, Web Filter and DLP. To enable extended logs, we must set the option from the CLI in each security profile we want to enable it for. Here you can see the commands for each of the profiles and sensors.

Application Control

config application list
    edit "nombre_perfil"
        set extended-log enable
end

IPS

config ips sensor
    edit "nombre_sensor"
        set extended-log enable
end

Antivirus

config antivirus profile
    edit "nombre_perfil"
        set extended-log enable
end

Webfilter

config webfilter profile
    edit "nombre_perfil"
        set in

Fortigate HA Sync troubleshooting

When there is a problem with HA (High Availability) synchronization, there is a command that tells us which part of the configuration is not synchronized. HA checksums are organized into sections and subsections. With the command "diagnose sys ha checksum show" we can view the hash values of the global configuration and of the root VDOM configuration. If, when running this command on the cluster nodes, we notice a difference in any of the values, we know that something is out of sync.

CLI:

diagnose sys ha checksum show [global | root | all] [element name]

For example, if we have seen different hashes or checksums for "global", we can check which items in the global section are not synchronized by executing "diagnose sys ha checksum show global" on all nodes. If we see that the system.global hash differs between nodes, we can go further with "diagnose sys ha checksum show global system.global", which shows the general settings

Association between Fortigate NAT IPPool and SD-WAN

SD-WAN lets the FortiGate choose the best WAN output for an application and apply other QoS and security functions. It is also very simple to manage at the security policy level, because the destination interface only needs to be "SD-WAN", which contains all the WAN interfaces that make it up (for practical purposes it works like a zone). It is common for these security policies on SD-WAN to enable source NAT, and FortiGate gives us the option to exit with the IP of the outgoing interface or with an IP pool. However, if each IP pool is not associated with an interface, connection errors will occur, as FortiGate will assign the IP pools without any order. The solution is to associate each IP pool object with a WAN interface; this way FortiGate knows which one to use at any given moment for each WAN interface of the SD-WAN. This example is done via the CLI.

config firewall ippool
    edit "IPPOOL-WAN1"
        set startip 1.1.1.1
        se

Fortigate SD-WAN and snat-route-change parameter

It is recommended to enable the snat-route-change setting for security policies where source NAT is used (common on Internet access and SD-WAN). When enabled, the routing information of a session with SNAT is removed from the session table when the route changes, which means that SD-WAN sessions can be fully re-evaluated and redirected when an SD-WAN rule changes (for example because latency increases on one of the SD-WAN lines) without waiting for the session to expire. With this setting disabled (the default), after a routing change the sessions created with SNAT keep using the same exit interface as long as the previous route is still active, even though it is no longer optimal, until the session expires.

config system global
    set snat-route-change enable
end

News from FortiAuthenticator 6.0

The main change is that it now has the same look and feel (GUI) as the rest of the Fortinet products. There are, however, other interesting new features:

SAML IDP Proxy
Transparent authentication: the SAML protocol allows browsers to perform SSO. FAC can act as SP (requesting authentication) or IDP (providing it). As of 6.0 it can also act as an IDP proxy; the aim is to be able to provide 2FA without having to change the cloud providers' IDPs.

User-Sync LDAP improvements
You can now also assign a role when users are synchronized.

OATH server
Third-party tokens can now be verified with OATH via the REST API.

Integration with FortiNAC
SSO monitoring improvements.

Customizable FAC error pages
In addition to the customizable messages (registration, token delivery, user portal, etc.), you can now customize the 500, 503, 404 and 403 error pages.

Integration with FortiOS
From FortiOS 6.2, FAC user information, authentication and status can be seen on the FortiGate. FAC can be deployed on

FortiMail TLS 1.1 and TLS 1.0

As of FortiMail 6.0.4, the TLS versions supported for both HTTPS (administrative) connections and SMTP connections can be configured in detail. The configuration is done from the CLI as follows.

Administrative access (admin-global):

config system global
    set ssl-versions tls1_0 tls1_1 tls1_2
end

Mail connections. The following controls connections from FortiMail to other gateways:

config system security crypto
    edit mail
        set ssl-versions tls1_1 tls1_2
    next
end

In this initial configuration we leave TLS 1.0, TLS 1.1 and TLS 1.2 enabled for administrative access, but SMTP mail connections will only support TLS 1.1 or TLS 1.2.

FortiOS 6.2 inspection mode change (Flow/Proxy)

FortiOS 6.2 implements an improvement that gives greater flexibility in traffic control by combining proxy-mode and flow-mode inspection simultaneously in the same firewall or VDOM. As a reminder of the differences between proxy mode and flow mode:

Flow mode
The default inspection mode, and the faster one. It keeps the client-to-server TCP session intact.

Proxy mode
The TCP connection is split into two parts. It allows full buffering (which enables certain inspection functions such as DLP, ICAP and SSH inspection, as well as some extra features such as Safe Search, Java/ActiveX/cookie filtering and quotas in the Web Filter profile, etc.).

In previous versions of FortiOS (from 5.4 to 6.0) all policies of the same VDOM had to use the same inspection mode (flow mode or proxy mode). As of FortiOS 6.2, it is possible to combine policies in proxy mode with others in flow mode simultaneously in the same VDOM.

Note: The inspection mode is selected in each policy. In the image below you can s

FortiOS 6.2 BOTNET C&C

As of version 6.2, the Botnet C&C defense configuration has been integrated into the IPS security profile, combining the various anti-botnet options into a single setting in the IPS profile. It is enabled under "Security Profiles > Intrusion Prevention > Botnet C&C" by setting the option to Block malicious URLs. Apply the security profile to the relevant security policies for the IPS engine to start scanning for connections to botnet sites.

FortiOS 6.2 Split-Task VDOM Mode

The new split-task VDOM mode simplifies deployments where a management VDOM and a traffic VDOM are required.

Management VDOM
Used for infrastructure management; in principle it does not handle data traffic, only management.

Traffic VDOM
This VDOM provides security policies for network traffic, separate from the administration part.

This function adds Security Fabric support to the VDOM feature in split-task mode.

Steps to enable the functionality (enabling VDOM mode via GUI/CLI):

CLI

config system global
    set vdom-mode split-vdom
end

GUI

Go to System > Settings. In the System Operation Settings section, enable Virtual Domains, then select Split-Task VDOM and choose the dedicated management interfaces. This interface will be used to access VDOM management and cannot be used in firewall policies.

FortiWeb Advanced signature update

As of FortiWeb 6.1.0, signature updates can be managed in an advanced way. When new signatures arrive via FortiGuard updates, the administrator chooses which signatures to keep with their default action and which to keep as signatures only. This function is disabled by default. To configure this mode, use the following CLI command:

config waf signature_update_policy
    set status enable
end

Afterwards, a new tab appears in System > Config > FortiGuard. There are three options for each signature:

Disable: disable the signature in all policies.
Approve: leave the signature with its default action in its category.
Undo: undo previous actions.

New features in FortiOS 6.2 Web Proxy functionality

Transparent Web Proxy
Compared to version 6.0, the configuration has been simplified. The pictures below show how to define the Proxy Options profile with the HTTP Policy Redirect option enabled, and then enable the redirect option for the transparent proxy in it.

Transparent Web Proxy for HTTPS
When enabled, "certificate-inspection" or "deep-inspection" can be selected. "deep-inspection" is recommended, as it allows the use of:
Active authentication scheme
Advanced Web Proxy Address
Transparent proxying of HTTPS can be disabled by selecting the new SSL profile "no-inspection", which lets HTTPS traffic pass if it is redirected.

Transparent Web Proxy for Proxy Forwarding
In previous versions, this functionality was only available for the explicit proxy. It is not necessary to configure redirection, and a possible use case would be, for example, that all Internet-bound HTTP/HTTPS traffic needs to be sent transparently through the proxy to a cloud security provider. In t